Security Incidents mailing list archives
5 scans of 12345 in a couple of hours. AUSCERT#36349
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Thu, 1 Jun 2000 12:48:25 +1200
Greetings,

I have seen a repeat of a group of incidents that I reported to SANS, AusCERT and Securityfocus' Incident list a couple of weeks ago. Then we saw 4 scans of tcp port 12345 within a few hours; most of the scans came from ISP dialup addresses from around the world. The thing that makes these scans conspicuously related (apart from the same dst port) is that all start at address 11 in a /24 network and scan upward towards 255 -- some stop short of that though. Up to 4 SYN packets are sent to each address with approx. one second between packets. The scans target different /24s in our /16 address space.

Then, I theorized that 11 was a typo for 1 and no one has come up with a better suggestion. I did not receive any 'me toos' in response to my posts; are these really just targeted at us? More likely the scans are supposed to target a random class C but the programmer has failed to initialize the random number generator properly and the scans are in fact only targeting a small address space, somewhere around 130.216/16.

One other detail: the source ports increment regularly, suggesting that the scans are done using the native stack.

One response that I got suggested that this was something that was being distributed via IRC or ICQ -- this sounds plausible; it would certainly account for the strange clumping of the scans in time. It would also explain why some scans terminate prematurely -- whoever is running it gets the idea that they are running a trojan and hits ^C!

This morning NZST (UTC +1200) I have seen another 5 of these scans within the last couple of hours from: bellsouth.net [209.214.106.68], pompano.net [24.26.48.126], MTY.ITESM.MX [207.249.103.172], nh.da.uu.net [63.21.109.15] and somewhere in Mexico [148.246.49.124] (ARIN pointed to nic.mx but I could not find any info in whois.nic.mx). So far as I can tell these scans are indistinguishable from the ones I saw two weeks ago.

Cheers, Russell.
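The post describes a recognisable signature: SYNs to tcp/12345, destination hosts walked upward from .11 in a single /24, up to 4 SYNs per host about a second apart, and source ports that climb monotonically. The following is an added example (not code from the post or from any list participant) that applies those criteria to packet-log lines. The log format is an assumption (a simplified tcpdump-style line), and the sample traffic is constructed inline; in practice you would feed it real SYN-only lines for port 12345.

```python
"""Detect the tcp/12345 sweep pattern described in the post.

Added example, not part of the original message. Assumptions:
- each log line looks like a simplified old-style tcpdump line:
  "HH:MM:SS.fff SRC.SPORT > DST.DPORT: S ..."
- the sample lines returned by sample_lines() are constructed, not real data.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+S\b"
)


def parse_line(line):
    """Return a dict for a SYN log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    hh, mm, ss = d["ts"].split(":")
    return {
        "ts": int(hh) * 3600 + int(mm) * 60 + float(ss),  # seconds since midnight
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def classify_sweeps(lines, dport=12345, start_host=11, max_syn=4, min_hosts=3):
    """Group SYNs to `dport` by (source IP, destination /24) and test each
    group against the pattern from the post: ascending host octets starting
    at `start_host`, at most `max_syn` SYNs per host, several hosts touched."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        net = ".".join(rec["dst"].split(".")[:3])
        groups[(rec["src"], net)].append(rec)

    results = []
    for (src, net), recs in groups.items():
        recs.sort(key=lambda r: (r["ts"], r["sport"]))
        hosts = [int(r["dst"].split(".")[3]) for r in recs]
        per_host = defaultdict(int)
        for h in hosts:
            per_host[h] += 1
        # Destination host octet never goes backwards (retries to the same
        # host are allowed, hence <=).
        ascending = all(a <= b for a, b in zip(hosts, hosts[1:]))
        # Source ports climb strictly, as with a native stack allocating
        # ephemeral ports sequentially.
        sports = [r["sport"] for r in recs]
        sport_increasing = all(a < b for a, b in zip(sports, sports[1:]))
        results.append({
            "src": src, "net": net,
            "first_host": min(per_host), "last_host": max(per_host),
            "hosts": len(per_host),
            "max_syn_per_host": max(per_host.values()),
            "ascending": ascending,
            "sport_increasing": sport_increasing,
            "matches_pattern": (ascending and min(per_host) == start_host
                                and max(per_host.values()) <= max_syn
                                and len(per_host) >= min_hosts),
        })
    return results


def sample_lines():
    """Constructed traffic (not real data): one source matching the post's
    pattern, and a second source that starts at .1 and so does not match."""
    lines, t, sport = [], 0.0, 1054
    for host in range(11, 15):            # 130.216.7.11 .. .14, 4 SYNs each
        for _ in range(4):
            lines.append("12:%02d:%06.3f 203.0.113.5.%d > 130.216.7.%d.12345: S 1:1(0) win 8192"
                         % (int(t // 60), t % 60, sport, host))
            t += 1.0
            sport += 1
    for host in range(1, 5):              # 130.216.9.1 .. .4, one SYN each
        lines.append("12:%02d:%06.3f 198.51.100.9.%d > 130.216.9.%d.12345: S 1:1(0) win 8192"
                     % (int(t // 60), t % 60, sport, host))
        t += 1.0
        sport += 1
    lines.append("12:05:00.000 198.51.100.9.%d > 130.216.9.4.25: S 1:1(0) win 8192" % sport)  # other port, ignored
    return lines


if __name__ == "__main__":
    for r in classify_sweeps(sample_lines()):
        print(r)
```

The `matches_pattern` thresholds are parameters rather than constants so the same function can be re-run with `start_host=1` to test the "11 is a typo for 1" theory against the same data.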